Court approves first-of-its-kind data breach settlement

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.networkworld.com/news/2014/031714-court-approves-first-of-its-kind-data-breach-279797.html?source=nww_rss

Courts have generally tended to dismiss consumer class-action lawsuits
filed against companies that suffer data breaches if victims can't show
that the the breach directly caused a financial hit.

A federal court in Florida broke the mold by approving a $3 million
settlement for victims of a data breach in which personal health
information was exposed when multiple laptops containing the unencrypted
data were stolen.

The Dec. 2009 theft of laptops belonging to AvMed, a Florida-based health
insurer, exposed the patient records of tens of thousands of its customers.
Several victimes later filed a putative class action lawsuit against AvMed.

The plaintiffs suffered no direct losses or identity theft from the breach
but nevertheless accused AvMed of negligence, breach of contract, breach of
fiduciary duty and unjust enrichment

The U.S. District Court for the Southern District of Florida, which heard
the case, dismissed the claims against AvMed two separate times.

However, upon appeal by the plaintiffs, the U.S. Court of Appeals for the
Eleventh Circuit allowed several of the claims, including those pertaining
to negligence and breach of contract, to remain, and remanded the case back
to the district court.

When AvMed again filed a motion to dismiss the class action claims yet
again, the district court refused to do so, prompting the health insurer
and the plaintiffs to enter into settlement talks.

Under the agreement, $30 of each breach victim's insurance premiums over
the past three years will be reimbursed. The plaintiffs contended that
AvMed should have been spending $30 per users to bolster its data security
controls.

Under the agreement, AvMed has also agreed to pay actual damages to anyone
whose identity was stolen as a result of the breach.

In addition the company agreed to implement new password protocols and
install disk encryption and GPS tracking tools on its laptops.

The district court handling the case, approved the settlement on Feb. 28,
but only a handful of law blogs have so far reported on it.

The settlement is believed to be the first in which victims of a data
breach are compensated without having to show they suffered any losses from
the theft of their personal data.

Numerous courts around the country have long refused to entertain similar
claims, maintaining that consumers can't claim damages from a data breach
unless they can prove they suffered losses. Courts have noted that
consumers cannot make damage claims based on the chance that they could
become identity theft victims sometime in the future.

"I believe this is one of the first cases settling under an unjust
enrichment theory," said Steve Larson a data breach attorney with law firm
Stoll Berne. "The injured parties are saying, 'I paid premiums and as part
of what I paid you, I expected you to keep my data secure.'"

The ruling could serve as a blueprint for other courts, Larson said.

"I have heard lawyers advocating this theory, but this is the first case
where I have seen a settlement so directly tied that way," he said. "There
will now be precedent to support a claim by plaintiffs that a portion of
their health insurance premiums or their payment for medical care should
have been used to improve data security."

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!